re: I kill every VPS I touch VIEW POST


I've used some s****y passwords

Some other things for your list:

  • Get rid of passwords where possible — for remote SSH only allow key-based logins
  • Set good passwords on your keys
  • Keyring tools (pageant.exe, ssh-agent, gpg-agent, etc.) make it so that even with a ridiculously complex password, you only need to enter it once every few hours.
  • Set up 2FA - especially for accounts that have the ability to perform privileged tasks. There's a couple good options out there for Linux and, thanks to PAM, can be used to secure more than just remote-logins' initial credential-negotiation.
  • Especially if you're managing an Internet-facing system that you have no ability to restrict SSH to a list of trusted hosts/IPs, set up your system to automatically black-hole password guessers — temporarily or permanently. This can be accomplished in iptables or by way of third-party tools.

I've locked myself out via iptables

Whenever you're considering adding new rules (you still use iptables, directly, rather than via firewalld?), only add them to the running configuration, not the on-disk configuration. If you lock yourself out, instead of having to rebuild (even if your VPS provider doesn't offer remote there may be alternatives to rebuilding), all you need to do is reboot to make the offending rule go away. Once you've validated that your new rule does what you need it to do, then save the config to disk.

You haven't lived until you've locked yourself out of a co-located physical system and had to make an hour-long drive to fix a bad firewall rule. It tends to pretty firmly instill habits.

code of conduct - report abuse